About the security content of OS X Yosemite v10.10

This document describes the security content of OS X Yosemite v10.10.

&NewLine;

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

OS X Yosemite v10.10

&NewLine;&Tab;

&NewLine;&Tab;

802.1X

&NewLine;&NewLine;&Tab;

Impact: An attacker can obtain WiFi credentials

&NewLine;&NewLine;&Tab;

Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default.

Impact: A remote attacker could determine all the network addresses of the system

&NewLine;&NewLine;&Tab;

Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4426 : Craig Young of Tripwire VERT

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

apache

&NewLine;&NewLine;&Tab;

Impact: Multiple vulnerabilities in Apache

&NewLine;&NewLine;&Tab;

Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2013-6438

&NewLine;&NewLine;&Tab;

CVE-2014-0098

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

App Sandbox

&NewLine;&NewLine;&Tab;

Impact: An application confined by sandbox restrictions may misuse the accessibility API

&NewLine;&NewLine;&Tab;

Description: A sandboxed application could misuse the accessibility API without the user's knowledge. This has been addressed by requiring administrator approval to use the accessibility API on an per-application basis.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4427 : Paul S. Ziegler of Reflare UG

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Bash

&NewLine;&NewLine;&Tab;

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

&NewLine;&NewLine;&Tab;

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

&NewLine;&NewLine;&Tab;

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

&NewLine;&NewLine;&Tab;

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "&lowbar;&lowbar;BASH&lowbar;FUNC<" and suffix ">&lpar;&rpar;" to prevent unintended function passing via HTTP headers.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-6271 : Stephane Chazelas

&NewLine;&NewLine;&Tab;

CVE-2014-7169 : Tavis Ormandy

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Bluetooth

&NewLine;&NewLine;&Tab;

Impact: A malicious Bluetooth input device may bypass pairing

&NewLine;&NewLine;&Tab;

Description: Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4428 : Mike Ryan of iSEC Partners

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

CFPreferences

&NewLine;&NewLine;&Tab;

Impact: The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot

&NewLine;&NewLine;&Tab;

Description: A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking.

Description: When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject.

Impact: A local user can execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-3537

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Dock

&NewLine;&NewLine;&Tab;

Impact: In some circumstances, windows may be visible even when the screen is locked

&NewLine;&NewLine;&Tab;

Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4431 : Emil Sjölander of Umeå University

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

fdesetup

&NewLine;&NewLine;&Tab;

Impact: The fdesetup command may provide misleading status for the state of encryption on disk

&NewLine;&NewLine;&Tab;

Description: After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4432

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

iCloud Find My Mac

&NewLine;&NewLine;&Tab;

Impact: iCloud Lost mode PIN may be bruteforced

&NewLine;&NewLine;&Tab;

Description: A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4435 : knoy

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOAcceleratorFamily

&NewLine;&NewLine;&Tab;

Impact: An application may cause a denial of service

&NewLine;&NewLine;&Tab;

Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4373 : cunzhang from Adlab of Venustech

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOHIDFamily

&NewLine;&NewLine;&Tab;

Impact: A malicious application may be able to execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4405 : Ian Beer of Google Project Zero

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOHIDFamily

&NewLine;&NewLine;&Tab;

Impact: A malicious application may be able to execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4404 : Ian Beer of Google Project Zero

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOHIDFamily

&NewLine;&NewLine;&Tab;

Impact: An application may cause a denial of service

&NewLine;&NewLine;&Tab;

Description: A out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4436 : cunzhang from Adlab of Venustech

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOHIDFamily

&NewLine;&NewLine;&Tab;

Impact: A user may be able to execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: An out-of-bounds write issue exited in the IOHIDFamily driver. The issue was addressed through improved input validation.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4380 : cunzhang from Adlab of Venustech

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOKit

&NewLine;&NewLine;&Tab;

Impact: A malicious application may be able to read uninitialized data from kernel memory

&NewLine;&NewLine;&Tab;

Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4407 : &commat;PanguTeam

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOKit

&NewLine;&NewLine;&Tab;

Impact: A malicious application may be able to execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4388 : &commat;PanguTeam

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

IOKit

&NewLine;&NewLine;&Tab;

Impact: A malicious application may be able to execute arbitrary code with system privileges

&NewLine;&NewLine;&Tab;

Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4418 : Ian Beer of Google Project Zero

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A local user may be able to determine kernel memory layout

&NewLine;&NewLine;&Tab;

Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4371 : Fermin J. Serna of the Google Security Team

&NewLine;&NewLine;&Tab;

CVE-2014-4419 : Fermin J. Serna of the Google Security Team

&NewLine;&NewLine;&Tab;

CVE-2014-4420 : Fermin J. Serna of the Google Security Team

&NewLine;&NewLine;&Tab;

CVE-2014-4421 : Fermin J. Serna of the Google Security Team

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution

&NewLine;&NewLine;&Tab;

Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4433 : Maksymilian Arciemowicz

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A malicious file system may cause unexpected system shutdown

&NewLine;&NewLine;&Tab;

Description: A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4434 : Maksymilian Arciemowicz

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

&NewLine;&NewLine;&Tab;

Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4375 : an anonymous researcher

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A person with a privileged network position may cause a denial of service

&NewLine;&NewLine;&Tab;

Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2011-2391 : Marc Heuse

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

&NewLine;&NewLine;&Tab;

Description: An out-of-bounds read issue existed in rt&lowbar;setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4408

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: A local user can cause an unexpected system termination

&NewLine;&NewLine;&Tab;

Description: A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4442 : Darius Davis of VMware

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Kernel

&NewLine;&NewLine;&Tab;

Impact: Some kernel hardening measures may be bypassed

&NewLine;&NewLine;&Tab;

Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4422 : Tarjei Mandt of Azimuth Security

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

LaunchServices

&NewLine;&NewLine;&Tab;

Impact: A local application may bypass sandbox restrictions

&NewLine;&NewLine;&Tab;

Description: The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4437 : Meder Kydyraliev of the Google Security Team

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

LoginWindow

&NewLine;&NewLine;&Tab;

Impact: Sometimes the screen might not lock

&NewLine;&NewLine;&Tab;

Description: A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations.

Description: A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4439 : Patrick J Power of Melbourne, Australia

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

MCX Desktop Config Profiles

&NewLine;&NewLine;&Tab;

Impact: When mobile configuration profiles were uninstalled, their settings were not removed

&NewLine;&NewLine;&Tab;

Description: Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4440 : Kevin Koster of Cloudpath Networks

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

NetFS Client Framework

&NewLine;&NewLine;&Tab;

Impact: File Sharing may enter a state in which it cannot be disabled

&NewLine;&NewLine;&Tab;

Description: A state management issue existed in the File Sharing framework. This issue was addressed through improved state management.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

QuickTime

&NewLine;&NewLine;&Tab;

Impact: Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution

&NewLine;&NewLine;&Tab;

Description: A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4351 : Karl Smith of NCC Group

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Safari

&NewLine;&NewLine;&Tab;

Impact: History of pages recently visited in an open tab may remain after clearing of history

&NewLine;&NewLine;&Tab;

Description: Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2013-5150

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Safari

&NewLine;&NewLine;&Tab;

Impact: Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed

Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

Description: A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4443 : Coverity

&NewLine;&Tab;

&NewLine;

&NewLine;&Tab;

&NewLine;&Tab;

Security

&NewLine;&NewLine;&Tab;

Impact: A local user might have access to another user's Kerberos tickets

&NewLine;&NewLine;&Tab;

Description: A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management.

Description: Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution. OS X Mavericks v10.9.5 and Security Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these changes.

&NewLine;&NewLine;&Tab;

CVE-ID

&NewLine;&NewLine;&Tab;

CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day Initiative

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.